Security problem fix#400
Open
HsGalaxy wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
漏洞 1:Gemini 管理路由完全无需认证
中间件在
middleware.py:29中对所有/gemini开头的路径跳过了身份验证:而以下 5 个管理路由注册在
/gemini/v1beta前缀下,且没有任何路由级别的认证依赖,导致任何人无需任何凭证即可直接访问:POST /gemini/v1beta/reset-all-fail-countsPOST /gemini/v1beta/reset-selected-fail-countsPOST /gemini/v1beta/reset-fail-count/{api_key}POST /gemini/v1beta/verify-key/{api_key}POST /gemini/v1beta/verify-selected-keys漏洞 2:AUTH_TOKEN 默认回退为 ALLOWED_TOKENS[0]
当未显式设置
AUTH_TOKEN时,config.py中的__init__会将其静默设置为ALLOWED_TOKENS[0],导致任何普通 API 用户自动拥有管理员权限。修复方案
修复 1:为管理路由添加 Cookie 认证
在
gemini_routes.py中新增verify_admin_cookie()依赖函数,从 Cookie 中验证管理员身份令牌,并将其添加到所有 5 个管理路由上。前端无需修改——
fetch()对同源请求默认携带 Cookie,管理面板页面本身已需要 Cookie 认证才能访问,因此auth_tokenCookie 会自动随请求发送。修复 2:移除 AUTH_TOKEN 自动回退逻辑
移除
config.py中将AUTH_TOKEN静默回退为ALLOWED_TOKENS[0]的代码。AUTH_TOKEN作为管理员凭证必须显式设置。变更文件
app/router/gemini_routes.py— 新增verify_admin_cookie()依赖,5 个管理路由添加认证app/config/config.py— 移除AUTH_TOKEN回退到ALLOWED_TOKENS[0]的逻辑之前未显式设置
AUTH_TOKEN的用户,升级后需要在.env文件中添加:否则管理面板将无法访问。这是有意为之的安全改进。